Always use ffuf for fuzzing files and use gobuster for fuzzing directories
If local privilege escalation exists on windows system for services listening on internal port and exploit is written in python or bash forward that service port and run the exploit in kali.
In active directory environment if we want to pivot to internal windows host from a compromised windows host check if you can receive reverse connection on attacking host on port 53 since AD is usually configured to allow DNS port 53 to communicate to external hosts. eg:
Find where log files are located in linux hosts(access.log and error.log)
Error clock skew too great
If powershell reverseshell doesn't work convert it to windows base64 and try executing
Since windows does everything in UTF-16 little endian we need to convert our execution code and then base64 it.
Adding DNS entry in AD environment for stealing ntlm hashes
There is something in Active Directory called ADIDNS(Active Directory INtegrated Dns) where AD users can configure computer account objects which they control to point to an arbitary IP address. Now this feature can be leveraged if an attacker who has compromised a regular domain user adds DNS A record ( also known as Address record which indicates ip address of a given domain ) to point to address where responder is listening and if someone visits the address or some script is setup by IT team to check if all the web sites in the AD are up abd running as in intelligence box from hackthebox as shown below.
Here an attacker who has a regular domain user compromised can add DNS A record pointing to his ip address where responder is listening and since the above script setup by the IT team checks all dns web domains using Invoke-WebRequest their NTLM hash can be stolen. For this we can use https://github.com/Sagar-Jangam/DNSUpdate
Enabling PS-Remoting
Having an elavated powershell prompt on victim host we can force powershell to work with winrm.
Activating winrm remotely
Activating winrm remotely from linux
Creating powershell credential object
Moving laterally to another computer on domain
Windows shell upload via website
If the windows host is running IIS service and we can upload in any location in the web we may be able to upload an aspx reverse shell
Decrypt Powershell SecureString password
If we need to transfer binary or executable file via ftp we should always use binary command first then enter put file.exe
If mimikatz doesn't work on the host we can save the sam,system and security hive transfer it to our attacking machine via smb and use secretsdump.py to extract all hashes
Windows can execute executable files directly from UNC path
This gets directly executed
To perform tcp port scan On old linux systems where nmap does not run(May need to run more than once to filter good results)
To perform udp port scan on old linux where nmap does not work(May need to run more than once to filter good results)
Change smb password remotely from linux
Bypass UAC
fodhelper powershell script can be used to bypass UAC only if our compromised user is member of administrator group
Powershell Command History file location
If powershell errors during execution of PrivEsc scripts(eg: Access to the path is denied, operation might require other privileges, etc)
check if the running reverse shell is 64 bit process if the host is 64 bit and 32 bit process if the shell is 32 bit process
IF host is 64 bit and our process is 32 bit or vice versa make sure to catch the reverse shell via
or upload nc64 to the host and catch the reverse shell or get cmd reverse shell and launch 64 bit powershell from there.
Hashcat with salt
In the hash file put the format as hash:salt instead of only the hash.
MSSQL configuring xp_cmdshell if not enabled
MSSQL Injection xp_cmdshell RCE
MSSQL Injection capture credentials when xp_cmdshell doesnot work
MySql Injection RCE in windows when smb is running:
MySql injection php wrapper trick
MySql Injection OUTFILE RCE:
MySql Injection load_file() read system files
Wireshark Group
If our compromised user is in (wireshark) group we can sniff any packets on any available interfaces of the comrpomised host. Below we are sniffing on loopback interface and saving the file as test.pcap
Enabling WDigest authentication to force system to store credentials in plaintext so that next time some employee logs in their creds will get cached in memory
This technique is usually applied to real world red teaming
Sqlmap force ssl
Use --force-ssl flag in sqlmap if you are attacking web application using https
Shell as another user on windows host
If we have low privilege access on a windows host and we get credentials or another user or administrator but port 445 is closed externally and we cannot psexec, winrm, rdp or other services are also closed, Enter-PSSession or Invoke-Command -ComputerName didnot work RunasCs or runas.exe also did not work there are another two ways
First Way
We can create a powershell credential object for that user using their password and use Start-Process in powershell with powershell reverse shell to get reverse shell as that user. In compromised host create powershell credential object for that user
Now convert Invoke-PowerShellTcpOneLine.ps1 with your ip and port and convert this file to windows base64
Finally we can start powershell process with our reverse shell in the context of administrator or the found user as
We will receive reverse shell as the compromised user.
Second Way
If port 445, winrm, rdp, or any such port from where we can gain access is listening internally we can forward that port to our local machine and execute psexec.py or evil-winrm, or rdp to get reverse shell or access as another user.
